Thursday, April 4, 2024

Review - CISA Publishes CIRCIA Support NPRM

Today, CISA published a notice of proposed rulemaking in the Federal Register (89 FR 23644-23776) for Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) Reporting Requirements. This rule is required by 6 USC 681b. Subsection (a) requires covered entities to report to CISA within certain prescribed timeframes any covered cyber incidents, ransom payments made in response to a ransomware attack, and any substantial new or different information discovered related to a previously submitted report. This rulemaking proposes regulations under a new 6 CFR 221, Covered Cyber Incident and Ransom Payment Reporting.

The NPRM Organization

CISA has organized this lengthy NPRM into six sections:

Section I - Public Participation,

Section II - Executive Summary,

Section III - Background and Purpose,

Section IV - Discussion of Proposed Rule,

Section V - Statutory and Regulatory Analyses, and

Section VI - Proposed Regulatory Text.

Public Comments

CISA is soliciting public comments on the proposed rule. In many places in the NPRM, CISA provides specific questions for which it is requesting comments from the public. Comments may be submitted via the Federal eRulemaking Portal (Docket # CISA-2022-0010). Comments should be submitted by June 3rd, 2023. While CISA is working under a legislative deadline on this rulemaking (final rule due September 15th, 2025), because of the complexity of the proposed regulatory scheme and the potential costs of the rule, I expect that there will be multiple requests for an extension of the comment deadline.

I will be providing additional information about various portions of the proposed regulations in future blog posts.


For more information on the layout of the NPRM and the discussions provided, see my article at CFSN Detailed Analysis (subscription required).
